Configuring the Sametime Proxy server for SAML authentication

The Sametime Community server supports multiple authentication methods such as using a name and password, and Security Assertion Markup Language (SAML).

Before you begin

To use SAML with the Sametime Proxy server, you must first configure the Sametime Community server for SAML. Ensure that you have tested SAML authentication with the Sametime Community server before you attempt to enable SAML on the Sametime Proxy server.

There must be a separate Identity Provider (IdP) configuration for the Sametime Proxy server and the Sametime Community server. The IdP administrator must provide the user access login URL to the Sametime administrator for configuring the proxy server.

Only IdP-initiated sign-on is supported.

Each IdP varies in implementation, so the following are guidelines for configuring your IdP:
Entity ID
The fully-qualified URL of the Sametime Proxy server. If using a load balancer, use the load balance name. For example: https://webchat.example.com.
SAML Assertion Consumer Service URL
The fully-qualified URL of the Sametime Proxy server, followed by the path: /stwebapi/user/connect. If you are using a load balancer, use the load balancer name. For example, https://webchat.example.com/stwebapi/user/connect.
Relay State
The same value as the SAML Assertion Consumer Service URL. For example, https://webchat.example.com/stwebapi/user/connect.
Log out URL
Sametime does not support the SAML logout specification, so do not specify a value for this property.
NameID
The attribute returned to Sametime must be the mail attribute.

About this task

The procedures below describe how to configure SAML authentication for the Sametime Proxy server. The Sametime Proxy server does not support multiple authentication methods. After SAML is enabled, basic name and password authentication is no longer allowed on the Sametime Proxy server. The Sametime Proxy server will continue to support LTPA Single Sign On with SAML enabled which is convenient for integration with other products such as HCL Verse, iNotes and Connections.

When you enable SAML for the Sametime Proxy server, the Sametime Meeting server leverages this feature for authenticating users. For additional meeting server configuration requirements, see Enabling SAML for Meetings.

Procedure

  1. Examine the URL provided by the IdP administrator. Check for characters that are illegal in XML, such as the ampersand (&), which must be escaped. The escape sequence for the ampersand (&) character is &amp; and it replaces every ampersand in your URL. For example, suppose the provided URL is: https://idp.example.com/exampletenant&appid=1234
  2. Append the following to the URL.
    ?TARGET=https://fully-qualified_URL_SametimeProxyserver/chat
    For example, if the Sametime Proxy URL is https://webchat.example.com, then the combined URL for the Sametime Proxy configuration is: https://idp.example.com/exampletenant&amp;appid=1234?TARGET=https://webchat.example.com/chat.
  3. Log in to the Sametime Proxy server and go to the conf directory where the proxy server is installed. Open the stproxyconfig.xml file and make the following changes:
    1. In the <server> section, change the <SAMLAuth> element to the following:
      <SAMLAuth>true</SAMLAuth> 
    2. Change the <IDPUrl> element to the following:
      <IDPUrl>insert_your_URL</IDPUrl> 
      For example:
      <IDPUrl>
       https://idp.example.com/exampletenant&amp;appid=1234?TARGET=https://webchat.example.com/chat 
       </IDPUrl>
  4. Save and close the file.
  5. Restart the Sametime Proxy server.
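The following script is an added example, not part of the HCL documentation or product: it builds the IDPUrl value (steps 1 and 2), writes SAMLAuth and IDPUrl into a constructed, minimal stproxyconfig.xml, and parses the result back to confirm the proxy would read the original URL. It assumes that <IDPUrl> sits directly under <server> next to <SAMLAuth>, which the page does not state.

```python
"""Build and apply the IDPUrl value for stproxyconfig.xml.

Added example; not HCL documentation or product code.
Assumption: <SAMLAuth> and <IDPUrl> are direct children of <server>.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed, minimal stand-in for stproxyconfig.xml with SAML still off.
SAMPLE_CONFIG = """<config>
  <server>
    <SAMLAuth>false</SAMLAuth>
    <IDPUrl></IDPUrl>
  </server>
</config>"""


def build_idp_url(idp_login_url, proxy_base_url):
    """Step 2: append ?TARGET=https://<proxy>/chat to the IdP login URL."""
    if not proxy_base_url.startswith("https://"):
        # The page's examples use https only; treat anything else as a mistake.
        raise ValueError("Sametime Proxy URL must start with https://")
    return f"{idp_login_url}?TARGET={proxy_base_url.rstrip('/')}/chat"


def xml_escaped(url):
    """Step 1: the text as it must appear inside <IDPUrl> (& becomes &amp;)."""
    return escape(url)


def enable_saml(config_xml, idp_url):
    """Set SAMLAuth to true and store idp_url; ElementTree escapes & on output."""
    root = ET.fromstring(config_xml)
    server = root.find("server")
    server.find("SAMLAuth").text = "true"
    server.find("IDPUrl").text = idp_url  # raw URL; serialisation escapes it
    return ET.tostring(root, encoding="unicode")


def read_back(config_xml):
    """Parse the saved file and return (SAMLAuth, IDPUrl) as the proxy sees them."""
    root = ET.fromstring(config_xml)
    return root.findtext("server/SAMLAuth"), root.findtext("server/IDPUrl")


if __name__ == "__main__":
    url = build_idp_url("https://idp.example.com/exampletenant&appid=1234",
                        "https://webchat.example.com")
    print(xml_escaped(url))
    print(read_back(enable_saml(SAMPLE_CONFIG, url)))
```

A hand-edited file that contains a bare & inside <IDPUrl> fails to parse in the read-back step, which is exactly the error the escaping in step 1 prevents.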